With the ever increasing demand for online content, web server systems are being adapted to handle requests for content from a growing number of client devices. The greater demand for content not only imposes a burden on the computing resources required to efficiently respond to the requests, but also exposes web servers and client devices that communicate with the web servers, to a variety of security risks. In some cases, for example, malware may surreptitiously infect client devices and be programmed to exploit web pages or other served content on the client devices. Once a web page has been compromised, malware may use the web page as a portal for further illicit actions involving a web server, such as to complete unauthorized transactions on a banking or e-commerce website.
Web servers commonly encounter communications from both benign and malicious client devices. At least a first portion of traffic for web server systems may originate from client devices that are either compromised by malware or that are at a significant risk of being compromised. On the other hand, some traffic originates from trusted client devices that have a very low risk of security threats. For example, website administrators may frequently access their site to test various site features using trusted equipment over a private network where the risk of a security vulnerability being exploited is minimal. As another example, websites are commonly crawled by web bots for indexing purposes on behalf of trusted, well-known search engines. Web server requests generally include one or more pieces of network or header information such as an IP address associated with the client device that is making the request, an indication of the protocol for the request, source and destination port numbers, and application layer header values.